Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /home/runner/.m2/repository/org/eclipse/jetty/apache-jsp/10.0.19/apache-jsp-10.0.19.jar MD5: f2c8f0dc627514318c6528139622e7d6 SHA1: 9055d4f466701d031359aef22f6cecac679e5ba3 SHA256:daf8c88e1dfa0ff68090beb6cea3dea4d56e20cdbe0f7f4e2546ef6716466247 Referenced In Project/Scope: waffle-jetty:provided apache-jsp-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
apache-jsp
High
Vendor
jar
package name
apache
Highest
Vendor
jar
package name
eclipse
Highest
Vendor
jar
package name
jetty
Highest
Vendor
jar
package name
jsp
Highest
Vendor
Manifest
build-jdk-spec
21
Low
Vendor
Manifest
bundle-copyright
Copyright (c) 2008-2022 Mort Bay Consulting Pty Ltd and others.
ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm/9.6/asm-9.6.jar MD5: 6f8bccf756f170d4185bb24c8c2d2020 SHA1: aa205cf0a06dbd8e04ece91c0b37c3f5d567546a SHA256:3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1 Referenced In Project/Scope: waffle-jetty:provided asm-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.6
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
asm
High
Vendor
jar
package name
asm
Highest
Vendor
jar
package name
objectweb
Highest
Vendor
Manifest
bundle-docurl
http://asm.ow2.org
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Vendor
Manifest
bundle-symbolicname
org.objectweb.asm
Medium
Vendor
pom
artifactid
asm
Highest
Vendor
pom
artifactid
asm
Low
Vendor
pom
developer email
ebruneton@free.fr
Low
Vendor
pom
developer email
eu@javatx.org
Low
Vendor
pom
developer email
forax@univ-mlv.fr
Low
Vendor
pom
developer id
ebruneton
Medium
Vendor
pom
developer id
eu
Medium
Vendor
pom
developer id
forax
Medium
Vendor
pom
developer name
Eric Bruneton
Medium
Vendor
pom
developer name
Eugene Kuleshov
Medium
Vendor
pom
developer name
Remi Forax
Medium
Vendor
pom
groupid
org.ow2.asm
Highest
Vendor
pom
name
asm
High
Vendor
pom
organization name
OW2
High
Vendor
pom
organization url
http://www.ow2.org/
Medium
Vendor
pom
parent-artifactid
ow2
Low
Vendor
pom
parent-groupid
org.ow2
Medium
Vendor
pom
url
http://asm.ow2.io/
Highest
Product
file
name
asm
High
Product
jar
package name
asm
Highest
Product
jar
package name
objectweb
Highest
Product
Manifest
bundle-docurl
http://asm.ow2.org
Low
Product
Manifest
Bundle-Name
org.objectweb.asm
Medium
Product
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Product
Manifest
bundle-symbolicname
org.objectweb.asm
Medium
Product
Manifest
Implementation-Title
ASM, a very small and fast Java bytecode manipulation framework
Usefull class adapters based on ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-commons/9.6/asm-commons-9.6.jar MD5: 9e317c75534bd1da8c00a67c618ab288 SHA1: f1a9e5508eff490744144565c47326c8648be309 SHA256:7aefd0d5c0901701c69f7513feda765fb6be33af2ce7aa17c5781fc87657c511 Referenced In Project/Scope: waffle-jetty:provided asm-commons-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
Tree API of ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: /home/runner/.m2/repository/org/ow2/asm/asm-tree/9.6/asm-tree-9.6.jar MD5: 6062608f1a98afe1e853d01fa1221a9e SHA1: c0cdda9d211e965d2a4448aa3fd86110f2f8c2de SHA256:c43ecf17b539c777e15da7b5b86553b377e2d39a683de6285567d5283888e7ef Referenced In Project/Scope: waffle-jetty:provided asm-tree-9.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.ow2.asm/asm-commons@9.6
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
asm-tree
High
Vendor
jar
package name
asm
Highest
Vendor
jar
package name
objectweb
Highest
Vendor
jar
package name
tree
Highest
Vendor
Manifest
bundle-docurl
http://asm.ow2.org
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Vendor
Manifest
bundle-symbolicname
org.objectweb.asm.tree
Medium
Vendor
Manifest
module-requires
org.objectweb.asm;transitive=true
Low
Vendor
pom
artifactid
asm-tree
Highest
Vendor
pom
artifactid
asm-tree
Low
Vendor
pom
developer email
ebruneton@free.fr
Low
Vendor
pom
developer email
eu@javatx.org
Low
Vendor
pom
developer email
forax@univ-mlv.fr
Low
Vendor
pom
developer id
ebruneton
Medium
Vendor
pom
developer id
eu
Medium
Vendor
pom
developer id
forax
Medium
Vendor
pom
developer name
Eric Bruneton
Medium
Vendor
pom
developer name
Eugene Kuleshov
Medium
Vendor
pom
developer name
Remi Forax
Medium
Vendor
pom
groupid
org.ow2.asm
Highest
Vendor
pom
name
asm-tree
High
Vendor
pom
organization name
OW2
High
Vendor
pom
organization url
http://www.ow2.org/
Medium
Vendor
pom
parent-artifactid
ow2
Low
Vendor
pom
parent-groupid
org.ow2
Medium
Vendor
pom
url
http://asm.ow2.io/
Highest
Product
file
name
asm-tree
High
Product
jar
package name
asm
Highest
Product
jar
package name
objectweb
Highest
Product
jar
package name
tree
Highest
Product
Manifest
bundle-docurl
http://asm.ow2.org
Low
Product
Manifest
Bundle-Name
org.objectweb.asm.tree
Medium
Product
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5
Low
Product
Manifest
bundle-symbolicname
org.objectweb.asm.tree
Medium
Product
Manifest
Implementation-Title
Tree API of ASM, a very small and fast Java bytecode manipulation framework
Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy/1.14.11/byte-buddy-1.14.11.jar MD5: c28e36075a114b176953fc10a5370be7 SHA1: 725602eb7c8c56b51b9c21f273f9df5c909d9e7d SHA256:62ae28187ed2b062813da6a9d567bfee733c341582699b62dd980230729a0313 Referenced In Project/Scope: waffle-jetty:compile byte-buddy-1.14.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.14.11/byte-buddy-agent-1.14.11.jar MD5: 0de12734d808654692599b08ccd84020 SHA1: f9cb566608fbac6bc7bf54901a7aa11543a989ee SHA256:2f537a621a64fa7013d68c695a76a34ee8d79dad74e635caca16dd56257aeb80 Referenced In Project/Scope: waffle-jetty:compile byte-buddy-agent-1.14.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/github/ben-manes/caffeine/caffeine/3.1.8/caffeine-3.1.8.jar MD5: b19301179903e8781776397d9923f7c8 SHA1: 24795585df8afaf70a2cd534786904ea5889c047 SHA256:7dd15f9df1be238ffaa367ce6f556737a88031de4294dad18eef57c474ddf1d3 Referenced In Project/Scope: waffle-jetty:compile caffeine-3.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
checker-qual contains annotations (type qualifiers) that a programmer
writes to specify Java code for type-checking by the Checker Framework.
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/org/checkerframework/checker-qual/3.42.0/checker-qual-3.42.0.jar MD5: 4c55448dcbfe9c3702f7758fc8fe0086 SHA1: 638ec33f363a94d41a4f03c3e7d3dcfba64e402d SHA256:ccaedd33af0b7894d9f2f3b644f4d19e43928e32902e61ac4d10777830f5aac7 Referenced In Project/Scope: waffle-jetty:compile checker-qual-3.42.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
Referenced In Project/Scope: waffle-jetty com.github.waffle:waffle-jna:3.3.1-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
Eclipse Public License - v 2.0: https://www.eclipse.org/legal/epl-2.0/
File Path: /home/runner/.m2/repository/org/eclipse/jdt/ecj/3.33.0/ecj-3.33.0.jar MD5: 8f97ca731449b0dd4cbf23aa34774c6f SHA1: 4041d27ffea3c9351e3121f9bfe94dea4723d583 SHA256:f7686c4960cf70c2ebc5c500a73a8cfc04541b730c18f1c5c21329889b137f45 Referenced In Project/Scope: waffle-jetty:provided ecj-3.33.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/com/google/errorprone/error_prone_annotations/2.24.1/error_prone_annotations-2.24.1.jar MD5: 345bbebec9b3c68d2638c0f6809436dc SHA1: 32b299e45105aa9b0df8279c74dc1edfcf313ff0 SHA256:19fe2f7155d20ea093168527999da98108103ee546d1e8b726bc4b27c31a3c30 Referenced In Project/Scope: waffle-jetty:provided error_prone_annotations-2.24.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar MD5: c50af69b704dc91050efb98e0dff66d1 SHA1: c85270e307e7b822f1086b93689124b89768e273 SHA256:f02a95fa1a5e95edb3ed859fd0fb7df709d121a35290eff8b74dce2ab7f4d6ed Referenced In Project/Scope: waffle-jetty:provided j2objc-annotations-2.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar MD5: 8b165cf58df5f8c2a222f637c0a07c97 SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d SHA256:85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a Referenced In Project/Scope: waffle-jetty:provided jakarta.annotation-api-1.3.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
Jakarta Expression Language provides a specification document, API, reference implementation and TCK
that describes an expression language for Java applications.
File Path: /home/runner/.m2/repository/org/glassfish/jakarta.el/3.0.4/jakarta.el-3.0.4.jar MD5: a4ff0d711c405e054f8166c2ea893e0e SHA1: f48473482c0e3e714f87186d9305bcae30b7f5cb SHA256:3b8d4311b47fb47d168ad4338b6649a7cc21d5066b9765bd28ebca93148064be Referenced In Project/Scope: waffle-jetty:provided jakarta.el-3.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/el/jakarta.el-api/3.0.3/jakarta.el-api-3.0.3.jar MD5: 528ed6138395d22fb54912b2b889e88e SHA1: f311ab94bb1d4380690a53d737226a6b879dd4f1 SHA256:47ae0a91fb6dd32fdaa5d9bda63df043ac8148e00c297ccce8ab9c56b95cf261 Referenced In Project/Scope: waffle-jetty:provided jakarta.el-api-3.0.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jakarta.servlet-api/4.0.2/jakarta.servlet-api-4.0.2.jar MD5: 75523dea16c815e4b111796ea1679b1b SHA1: 60da427ed588aa0cf70cb6cb7209c31e83069364 SHA256:0cd32c92320ae92c8692ef326dfeef756e97760251fca0c45472f299f1c3c916 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet-api-4.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp/2.3.6/jakarta.servlet.jsp-2.3.6.jar MD5: 16d8baeceb5503f066c61582085c75cb SHA1: 13192d5874b787c0ce0c70b35e95181e8b683a1c SHA256:990af769158db75833fe8b4d1e56ea778246bc3c6522d434369f1a0bcebf8582 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jakarta.servlet.jsp-api/2.3.6/jakarta.servlet.jsp-api-2.3.6.jar MD5: 07e4d801fad7599ae858cb6b779b5168 SHA1: ee48550ece1af1e0d8bd4877dbc6da5c29c5496b SHA256:e915fa9db7245592460dfaf1a2df9cdfe800cc3976562ed492870db56369dde9 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp-api-2.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/org/glassfish/web/jakarta.servlet.jsp.jstl/1.2.6/jakarta.servlet.jsp.jstl-1.2.6.jar MD5: 7058e8ed0b161b729e6134784750d22b SHA1: f5a092de3b2b087c14ca4b8d6f2c77a1f6802828 SHA256:3b697c6cdf4d28de185e07d63f3682728b5a2b1dd229f5f9deb9b930d64b484a Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp.jstl-1.2.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/1.2.4/jakarta.servlet.jsp.jstl-api-1.2.4.jar MD5: 5b4683c3a614b37a5de721817e792024 SHA1: 9d23cda192df1192894277fd9d0710abb61329af SHA256:57122ab0151f82e716d825e65627e8064eb108dbeaafafa780687d61d5359454 Referenced In Project/Scope: waffle-jetty:provided jakarta.servlet.jsp.jstl-api-1.2.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.glassfish.web/jakarta.servlet.jsp.jstl@1.2.6
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/slf4j/jcl-over-slf4j/2.0.11/jcl-over-slf4j-2.0.11.jar MD5: 7ad2cbcec0efd8cfc8f3a6dfacfc5829 SHA1: f6226edb8c85f8c9f1f75ec4b0252c02f589478a SHA256:55e96f9830d732c81f0709e9090f308798381be7dc5aa67dd423c02831b5b4bb Referenced In Project/Scope: waffle-jetty:compile jcl-over-slf4j-2.0.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-io/10.0.19/jetty-io-10.0.19.jar MD5: 2a17076c238062f9d3ef947282347d3b SHA1: 1a08ba2c33c92d7d1f2a9dd8b87653c237756921 SHA256:4ec28fd3717eebfa3b3ac3d692d89889ac0a5282ba129b7d7ce4682abe778158 Referenced In Project/Scope: waffle-jetty:provided jetty-io-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/jetty-client@10.0.19
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-io
High
Vendor
jar
package name
eclipse
Highest
Vendor
jar
package name
io
Highest
Vendor
jar
package name
jetty
Highest
Vendor
Manifest
build-jdk-spec
21
Low
Vendor
Manifest
bundle-copyright
Copyright (c) 2008-2022 Mort Bay Consulting Pty Ltd and others.
Low
Vendor
Manifest
bundle-docurl
https://eclipse.dev/jetty/
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.io
Medium
Vendor
Manifest
Implementation-Vendor
Eclipse Jetty Project
High
Vendor
Manifest
url
https://eclipse.dev/jetty/
Low
Vendor
pom
artifactid
jetty-io
Highest
Vendor
pom
artifactid
jetty-io
Low
Vendor
pom
groupid
org.eclipse.jetty
Highest
Vendor
pom
name
Jetty :: IO Utility
High
Vendor
pom
parent-artifactid
jetty-project
Low
Product
file
name
jetty-io
High
Product
jar
package name
eclipse
Highest
Product
jar
package name
io
Highest
Product
jar
package name
jetty
Highest
Product
Manifest
build-jdk-spec
21
Low
Product
Manifest
bundle-copyright
Copyright (c) 2008-2022 Mort Bay Consulting Pty Ltd and others.
File Path: /home/runner/.m2/repository/org/eclipse/jetty/jetty-server/10.0.19/jetty-server-10.0.19.jar MD5: 885901771fa61efe91135936572573e5 SHA1: 5a0f3f4118cd80cbdfa38f162e1ccd50afc8cae6 SHA256:f61b8eace7df3f9394db0e7e1e00f8db2fed4ecda57f269720b80f394ba9d46a Referenced In Project/Scope: waffle-jetty:provided jetty-server-10.0.19.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/jetty-servlet@10.0.19
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-server
High
Vendor
jar
package name
eclipse
Highest
Vendor
jar
package name
jetty
Highest
Vendor
jar
package name
server
Highest
Vendor
Manifest
build-jdk-spec
21
Low
Vendor
Manifest
bundle-copyright
Copyright (c) 2008-2022 Mort Bay Consulting Pty Ltd and others.
Low
Vendor
Manifest
bundle-docurl
https://eclipse.dev/jetty/
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.server
Medium
Vendor
Manifest
Implementation-Vendor
Eclipse Jetty Project
High
Vendor
Manifest
url
https://eclipse.dev/jetty/
Low
Vendor
pom
artifactid
jetty-server
Highest
Vendor
pom
artifactid
jetty-server
Low
Vendor
pom
groupid
org.eclipse.jetty
Highest
Vendor
pom
name
Jetty :: Server Core
High
Vendor
pom
parent-artifactid
jetty-project
Low
Product
file
name
jetty-server
High
Product
jar
package name
eclipse
Highest
Product
jar
package name
jetty
Highest
Product
jar
package name
server
Highest
Product
Manifest
build-jdk-spec
21
Low
Product
Manifest
bundle-copyright
Copyright (c) 2008-2022 Mort Bay Consulting Pty Ltd and others.
File Path: /home/runner/.m2/repository/org/eclipse/jetty/toolchain/jetty-servlet-api/4.0.6/jetty-servlet-api-4.0.6.jar MD5: d63413e02885c25d0129e3d2936606f6 SHA1: 959c5d83d08f5cddf56caff749e48b735193191b SHA256:d90bf1f8a9d2ba89f4510bb51e1516dcf94ef6dc034e00f233654abdd78f2210 Referenced In Project/Scope: waffle-jetty:provided jetty-servlet-api-4.0.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.eclipse.jetty/apache-jsp@10.0.19
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
jetty-servlet-api
High
Vendor
jar
package name
servlet
Highest
Vendor
Manifest
build-jdk-spec
11
Low
Vendor
Manifest
bundle-docurl
https://eclipse.org/jetty
Low
Vendor
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Vendor
Manifest
bundle-symbolicname
org.eclipse.jetty.servlet-api
Medium
Vendor
pom
artifactid
jetty-servlet-api
Highest
Vendor
pom
artifactid
jetty-servlet-api
Low
Vendor
pom
groupid
org.eclipse.jetty.toolchain
Highest
Vendor
pom
name
Jetty :: Servlet API and Schemas for JPMS and OSGi
High
Vendor
pom
parent-artifactid
jetty-toolchain
Low
Product
file
name
jetty-servlet-api
High
Product
jar
package name
servlet
Highest
Product
Manifest
build-jdk-spec
11
Low
Product
Manifest
bundle-docurl
https://eclipse.org/jetty
Low
Product
Manifest
Bundle-Name
Eclipse Jetty Servlet API and Schemas for JPMS and OSGi
Medium
Product
Manifest
bundle-requiredexecutionenvironment
JavaSE-11
Low
Product
Manifest
bundle-symbolicname
org.eclipse.jetty.servlet-api
Medium
Product
pom
artifactid
jetty-servlet-api
Highest
Product
pom
groupid
org.eclipse.jetty.toolchain
Highest
Product
pom
name
Jetty :: Servlet API and Schemas for JPMS and OSGi
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), NVD-CWE-noinfo
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Insecure Permissions, NVD-CWE-Other
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
NVD-CWE-Other, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.14.0/jna-5.14.0.jar MD5: 8b3cc652920435ad9f801e6d9b2a3497 SHA1: 67bf3eaea4f0718cb376a181a629e5f88fa1c9dd SHA256:34ed1e1f27fa896bca50dbc4e99cf3732967cec387a7a0d5e3486c09673fe8c6 Referenced In Project/Scope: waffle-jetty:compile jna-5.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/5.14.0/jna-platform-5.14.0.jar MD5: 3bc3f09a698e6ad250dd093f64fbb8a7 SHA1: 28934d48aed814f11e4c584da55c49fa7032b31b SHA256:ae4caceb3840730c2537f9b7fb55a01baba580286b4122951488bcee558c2449 Referenced In Project/Scope: waffle-jetty:compile jna-platform-5.14.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar MD5: dd83accb899363c32b07d7a1b2e4ce40 SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 Referenced In Project/Scope: waffle-jetty:provided jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.3
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/2.0.11/slf4j-api-2.0.11.jar MD5: 90c46a2d4613049843c804867321e6a7 SHA1: ad96c3f8cf895e696dd35c2bc8e8ebe710be9e6d SHA256:ce0e71d673acb9036bb55d0244b261cf033f8e4c1245f14f931dfb1937dd4c95 Referenced In Project/Scope: waffle-jetty:compile slf4j-api-2.0.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.3.1-SNAPSHOT
GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /home/runner/.m2/repository/com/github/spotbugs/spotbugs-annotations/4.8.3/spotbugs-annotations-4.8.3.jar MD5: cd5917b77643c3a7ba5420aea78f940c SHA1: 05d2dc4ca5b632976371155252499819aea372ed SHA256:e5d4f60be8e57595766ba7f1d4535dc46aebf98dae05e16372a4d4120d3ebb6b Referenced In Project/Scope: waffle-jetty:provided spotbugs-annotations-4.8.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jetty@3.3.1-SNAPSHOT